mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
169 lines
6.6 KiB
Markdown
169 lines
6.6 KiB
Markdown
# Heap Functions Security Checks
|
|
|
|
{{#include ../../../banners/hacktricks-training.md}}
|
|
|
|
## unlink
|
|
|
|
For more info check:
|
|
|
|
|
|
{{#ref}}
|
|
unlink.md
|
|
{{#endref}}
|
|
|
|
This is a summary of the performed checks:
|
|
|
|
- Check if the indicated size of the chunk is the same as the `prev_size` indicated in the next chunk
|
|
- Error message: `corrupted size vs. prev_size`
|
|
- Check also that `P->fd->bk == P` and `P->bk->fw == P`
|
|
- Error message: `corrupted double-linked list`
|
|
- If the chunk is not small, check that `P->fd_nextsize->bk_nextsize == P` and `P->bk_nextsize->fd_nextsize == P`
|
|
- Error message: `corrupted double-linked list (not small)`
|
|
|
|
## \_int_malloc
|
|
|
|
For more info check:
|
|
|
|
|
|
{{#ref}}
|
|
malloc-and-sysmalloc.md
|
|
{{#endref}}
|
|
|
|
- **Checks during fast bin search:**
|
|
- If the chunk is misaligned:
|
|
- Error message: `malloc(): unaligned fastbin chunk detected 2`
|
|
- If the forward chunk is misaligned:
|
|
- Error message: `malloc(): unaligned fastbin chunk detected`
|
|
- If the returned chunk has a size that isn't correct because of it's index in the fast bin:
|
|
- Error message: `malloc(): memory corruption (fast)`
|
|
- If any chunk used to fill the tcache is misaligned:
|
|
- Error message: `malloc(): unaligned fastbin chunk detected 3`
|
|
- **Checks during small bin search:**
|
|
- If `victim->bk->fd != victim`:
|
|
- Error message: `malloc(): smallbin double linked list corrupted`
|
|
- **Checks during consolidate** performed for each fast bin chunk:
|
|
- If the chunk is unaligned trigger:
|
|
- Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
|
|
- If the chunk has a different size that the one it should because of the index it's in:
|
|
- Error message: `malloc_consolidate(): invalid chunk size`
|
|
- If the previous chunk is not in use and the previous chunk has a size different of the one indicated by prev_chunk:
|
|
- Error message: `corrupted size vs. prev_size in fastbins`
|
|
- **Checks during unsorted bin search**:
|
|
- If the chunk size is weird (too small or too big):
|
|
- Error message: `malloc(): invalid size (unsorted)`
|
|
- If the next chunk size is weird (too small or too big):
|
|
- Error message: `malloc(): invalid next size (unsorted)`
|
|
- If the previous size indicated by the next chunk differs from the size of the chunk:
|
|
- Error message: `malloc(): mismatching next->prev_size (unsorted)`
|
|
- If not `victim->bck->fd == victim` or not `victim->fd == av (arena)`:
|
|
- Error message: `malloc(): unsorted double linked list corrupted`
|
|
- As we are always checking the las one, it's fd should be pointing always to the arena struct.
|
|
- If the next chunk isn't indicating that the previous is in use:
|
|
- Error message: `malloc(): invalid next->prev_inuse (unsorted)`
|
|
- If `fwd->bk_nextsize->fd_nextsize != fwd`:
|
|
- Error message: `malloc(): largebin double linked list corrupted (nextsize)`
|
|
- If `fwd->bk->fd != fwd`:
|
|
- Error message: `malloc(): largebin double linked list corrupted (bk)`
|
|
- **Checks during large bin (by index) search:**
|
|
- `bck->fd-> bk != bck`:
|
|
- Error message: `malloc(): corrupted unsorted chunks`
|
|
- **Checks during large bin (next bigger) search:**
|
|
- `bck->fd-> bk != bck`:
|
|
- Error message: `malloc(): corrupted unsorted chunks2`
|
|
- **Checks during Top chunk use:**
|
|
- `chunksize(av->top) > av->system_mem`:
|
|
- Error message: `malloc(): corrupted top size`
|
|
|
|
## `tcache_get_n`
|
|
|
|
- **Checks in `tcache_get_n`:**
|
|
- If chunk is misaligned:
|
|
- Error message: `malloc(): unaligned tcache chunk detected`
|
|
|
|
## `tcache_thread_shutdown`
|
|
|
|
- **Checks in `tcache_thread_shutdown`:**
|
|
- If chunk is misaligned:
|
|
- Error message: `tcache_thread_shutdown(): unaligned tcache chunk detected`
|
|
|
|
## `__libc_realloc`
|
|
|
|
- **Checks in `__libc_realloc`:**
|
|
- If old pointer is misaligned or the size was incorrect:
|
|
- Error message: `realloc(): invalid pointer`
|
|
|
|
## `_int_free`
|
|
|
|
For more info check:
|
|
|
|
|
|
{{#ref}}
|
|
free.md
|
|
{{#endref}}
|
|
|
|
- **Checks during the start of `_int_free`:**
|
|
- Pointer is aligned:
|
|
- Error message: `free(): invalid pointer`
|
|
- Size larger than `MINSIZE` and size also aligned:
|
|
- Error message: `free(): invalid size`
|
|
- **Checks in `_int_free` tcache:**
|
|
- If there are more entries than `mp_.tcache_count`:
|
|
- Error message: `free(): too many chunks detected in tcache`
|
|
- If the entry is not aligned:
|
|
- Error message: `free(): unaligned chunk detected in tcache 2`
|
|
- If the freed chunk was already freed and is present as chunk in the tcache:
|
|
- Error message: `free(): double free detected in tcache 2`
|
|
- **Checks in `_int_free` fast bin:**
|
|
- If the size of the chunk is invalid (too big or small) trigger:
|
|
- Error message: `free(): invalid next size (fast)`
|
|
- If the added chunk was already the top of the fast bin:
|
|
- Error message: `double free or corruption (fasttop)`
|
|
- If the size of the chunk at the top has a different size of the chunk we are adding:
|
|
- Error message: `invalid fastbin entry (free)`
|
|
|
|
## **`_int_free_merge_chunk`**
|
|
|
|
- **Checks in `_int_free_merge_chunk`:**
|
|
- If the chunk is the top chunk:
|
|
- Error message: `double free or corruption (top)`
|
|
- If the next chunk is outside of the boundaries of the arena:
|
|
- Error message: `double free or corruption (out)`
|
|
- If the chunk is not marked as used (in the prev_inuse from the following chunk):
|
|
- Error message: `double free or corruption (!prev)`
|
|
- If the next chunk has a too little size or too big:
|
|
- Error message: `free(): invalid next size (normal)`
|
|
- If the previous chunk is not in use, it will try to consolidate. But, if the `prev_size` differs from the size indicated in the previous chunk:
|
|
- Error message: `corrupted size vs. prev_size while consolidating`
|
|
|
|
## **`_int_free_create_chunk`**
|
|
|
|
- **Checks in `_int_free_create_chunk`:**
|
|
- Adding a chunk into the unsorted bin, check if `unsorted_chunks(av)->fd->bk == unsorted_chunks(av)`:
|
|
- Error message: `free(): corrupted unsorted chunks`
|
|
|
|
## `do_check_malloc_state`
|
|
|
|
- **Checks in `do_check_malloc_state`:**
|
|
- If misaligned fast bin chunk:
|
|
- Error message: `do_check_malloc_state(): unaligned fastbin chunk detected`
|
|
|
|
## `malloc_consolidate`
|
|
|
|
- **Checks in `malloc_consolidate`:**
|
|
- If misaligned fast bin chunk:
|
|
- Error message: `malloc_consolidate(): unaligned fastbin chunk detected`
|
|
- If incorrect fast bin chunk size:
|
|
- Error message: `malloc_consolidate(): invalid chunk size`
|
|
|
|
## `_int_realloc`
|
|
|
|
- **Checks in `_int_realloc`:**
|
|
- Size is too big or too small:
|
|
- Error message: `realloc(): invalid old size`
|
|
- Size of the next chunk is too big or too small:
|
|
- Error message: `realloc(): invalid next size`
|
|
|
|
{{#include ../../../banners/hacktricks-training.md}}
|
|
|
|
|